You might take a look at the Thoughtbot Suspenders template Rails app. It contains a deploy.rb that prompts you for a db password when you run cap deploy:setup and stores that password in a shared file on the remote DB server.
http://bit.ly/QcrOl

The database.yml file is then set up to pull the password from this shared file:
http://bit.ly/svm27

The primary benefit here being that you don't store the password in your SCM.

Glenn

On May 20, 6:27 pm, "S. Robert James" <[email protected]> wrote:
> We have our cap deploy set up to take a new app server from zero to
> working, all automatically.
>
> One issue we're getting stuck with is: Where to store the database
> password?
>
> I'll show you what we thought of, and why we don't like it. I'm sure
> some of the pros here have already grappled with this, so I'd like to
> hear what you say.
>
> 1. Store in cap deploy files.
> PROBLEM: We don't want every developer who ever had access to cap
> deploy source to know the passwords.
>
> 2. Store in file on each server.
> PROBLEM: This would require manual setup of a new server.
> PROBLEM: Even if we accept to do it manually, in the course of doing
> so, it's quite likely that the password will get emailed around.
> "Anyone remember the pw to setup a new server? The box is down and I
> need to do a replacement quick."
>
> 3. Use a nonpassword system
> Windows supports authentication via user account on a known machine.
> I'm not sure how it works, or how secure it is. Haven't found any
> simple, secure way to do this via Linux. The ideal would be to tell
> the database server "If user rails_app on any of the local machines
> wants to connect, they don't need a password." But I'm not sure if
> there is a simple and secure way to do this.
>
> 4. Use some type of encryption
> I'm not sure how to use this to solve problems. The key needs to go
> somewhere, and so we're back to square one, on where to store the key.
>
> What do you do? Is there a best practice? What do the large
> enterprise / J2EE shops do?
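An added example, not part of the thread and not the Suspenders code: a Ruby sketch of the approach in the reply above, where setup writes the prompted password to a shared file and database.yml reads it through ERB. The file path, the `mysql` adapter, the helper names and the permission check are assumptions made for illustration.

```ruby
require "erb"
require "fileutils"
require "json"
require "tmpdir"
require "yaml"

# Raised when the shared secret file is missing or readable by other users.
class InsecureSecretFile < StandardError; end

# Setup side: store the prompted password in a file created with mode 0600,
# so it is never group- or world-readable, even briefly.
def store_db_password(path, password)
  FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.chmod(0o600) # tighten a file that already existed with looser bits
    f.write(password)
  end
  path
end

# Application side: refuse to use a secret that other accounts could read.
def read_db_password(path)
  mode = File.stat(path).mode & 0o7777
  unless (mode & 0o077).zero?
    raise InsecureSecretFile, format("%s has mode %04o, expected 0600", path, mode)
  end
  File.read(path).chomp
rescue Errno::ENOENT
  raise InsecureSecretFile, "#{path} is missing; run the setup step first"
end

# Constructed database.yml template: safe to commit, it holds no secret.
# to_json quotes the value so YAML metacharacters in a password survive.
DATABASE_YML = <<~YAML
  production:
    adapter: mysql
    username: rails_app
    password: <%= read_db_password(secret_path).to_json %>
YAML

def render_database_config(secret_path)
  YAML.safe_load(ERB.new(DATABASE_YML).result(binding))
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    secret = store_db_password(File.join(dir, "shared/config/dbpassword"), "constructed: pw #1")
    puts render_database_config(secret)["production"]["username"]
  end
end
```

The password file still has to be protected on the server itself: anyone who can read it as the deploy user, or who can read backups of the shared directory, has the database credential.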
